diff --git a/.github/workflows/qa-tests.yml b/.github/workflows/qa-tests.yml
index 8e9bc5b68..6371610ff 100644
--- a/.github/workflows/qa-tests.yml
+++ b/.github/workflows/qa-tests.yml
@@ -56,7 +56,7 @@ jobs:
           cp firewall-node/.github/workflows/Dockerfile.qa zen-demo-nodejs/Dockerfile
       - name: Run Firewall QA Tests
-        uses: AikidoSec/firewall-tester-action@releases/v1
+        uses: AikidoSec/firewall-tester-action@v1.0.1
         with:
           dockerfile_path: ./zen-demo-nodejs/Dockerfile
           app_port: 3000
diff --git a/library/vulnerabilities/attack-wave-detection/AttackWaveDetector.ts b/library/vulnerabilities/attack-wave-detection/AttackWaveDetector.ts
index fb18fd5d3..2ef9e2880 100644
--- a/library/vulnerabilities/attack-wave-detection/AttackWaveDetector.ts
+++ b/library/vulnerabilities/attack-wave-detection/AttackWaveDetector.ts
@@ -8,7 +8,7 @@ export type SuspiciousRequest = {
 };
 
 export class AttackWaveDetector {
-  private suspiciousRequestsCounts: LRUMap;
+  private suspiciousRequestsCounts: LRUMap;
   private suspiciousRequestsSamples: LRUMap;
   private sentEventsMap: LRUMap;
 
@@ -80,14 +80,24 @@ export class AttackWaveDetector {
       return false;
     }
 
-    const suspiciousRequests = (this.suspiciousRequestsCounts.get(ip) || 0) + 1;
-    this.suspiciousRequestsCounts.set(ip, suspiciousRequests);
+    const currentTime = performance.now();
+    const requestTimestamps = this.suspiciousRequestsCounts.get(ip) || [];
+
+    const filteredTimestamps = requestTimestamps.filter(
+      (timestamp) => currentTime - timestamp <= this.attackWaveTimeFrame
+    );
+
+    filteredTimestamps.push(currentTime);
+
+    this.suspiciousRequestsCounts.set(ip, filteredTimestamps);
 
     this.trackSample(ip, {
       method: context.method,
       url: context.url,
     });
 
+    const suspiciousRequests = filteredTimestamps.length;
+
     if (suspiciousRequests < this.attackWaveThreshold) {
       return false;
     }
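Review bot: The per-IP timestamp array in the `@@ -80,14 +80,24 @@` hunk of AttackWaveDetector.ts grows without bound for as long as a source keeps sending suspicious requests inside `attackWaveTimeFrame`, and every request re-runs `filter` over the whole array, so a single noisy source makes this path O(requests-in-window) in both memory and CPU — the previous integer counter had neither cost. Because the only consumer is the `suspiciousRequests < this.attackWaveThreshold` comparison, keeping just the newest `attackWaveThreshold` entries is sufficient: the count is at or above the threshold exactly when the threshold-th most recent timestamp still falls inside the window, so capping after the push preserves the decision while bounding the array, e.g. `if (filteredTimestamps.length > this.attackWaveThreshold) { filteredTimestamps.shift(); }` placed before the `set(ip, filteredTimestamps)` call. The `private suspiciousRequestsCounts: LRUMap;` line in the earlier hunk appears with its generic arguments stripped in this rendering, so the new element type cannot be confirmed here; the declaration should document that the value is now an array of `performance.now()` timestamps in milliseconds, since `attackWaveTimeFrame` is compared against it directly. The enclosing method starts before and continues after this hunk.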